KeRanger
KeRanger (also called OSX.KeRanger.A) is a ransomware trojan for macOS. It was released after the website of the Transmission BitTorrent client was hacked; the attackers uploaded a new version of Transmission containing the trojan. The file was briefly digitally signed, allowing it to bypass the security warnings of Apple's Gatekeeper. The ransomware was first discovered by Palo Alto Networks, who added it to their malware database and wrote about it on their blog two days later. The signature was later revoked by Apple, and macOS now warns before the file is run that it contains malware. Later versions of Transmission also shipped an update notice stating that upgrading is highly recommended and that the new update will automatically remove the malware if the system has not already been encrypted.

It is currently unknown how the files on Transmission's website were altered, but starting on March 4th, 2016 the legitimate download was replaced with a malicious version that installed KeRanger. Furthermore, this malicious version was digitally signed using a valid certificate issued to a Turkish company; the certificate's name ended with the ID (Z7276PX673). KeRanger is believed to be a partially rewritten version of the Linux.Encoder.1 ransomware. This was first noticed by BitDefender, who decompiled the ransomware and found similarities in most of the algorithms.

Payload

When a user installed and executed the malicious version of the Transmission application, an included file called General.rtf, dropped into the application's Resources folder, was copied to ~/Library/kernel_service and executed. General.rtf is the main executable of the KeRanger ransomware: it masquerades as an RTF (Rich Text Format) document but is actually a Mach-O executable packed with UPX. After the client is launched, the trojan runs in the background of the system. Once this file has been copied to kernel_service and executed, it creates two files, ~/Library/.kernel_pid and ~/Library/.kernel_time.
The .kernel_pid file contains the process ID of the running kernel_service process, and the .kernel_time file contains a timestamp of when the ransomware was first executed. KeRanger then sleeps for three days: by comparing the current time with the timestamp stored in .kernel_time, it awakens once three days have passed. Once awake, KeRanger contacts one of three Tor Command & Control servers, sends information about the machine, and receives an encryption key that it uses to encrypt the victim's files. The known Command & Control addresses that KeRanger attempts to connect to (three .onion services, each listed under two clearnet gateway domains) are:

lclebb6kvohlkcml.onion.link
lclebb6kvohlkcml.onion.nu
bmacyzmea723xyaz.onion.link
bmacyzmea723xyaz.onion.nu
nejdtkok7oz5kjoc.onion.link
nejdtkok7oz5kjoc.onion.nu

Once an encryption key is received from the Command & Control server, KeRanger scans all files under the /Users and /Volumes folders for files with certain extensions. Because it scans /Volumes, any external drives plugged into the computer are also scanned and encrypted. When a matching file is found, it is encrypted using AES encryption and the .encrypted extension is appended to the filename. For example, test.jpg becomes test.jpg.encrypted.
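The three-day sleep described above gives a responder a window to find the infection before any file is touched. The following script is an added example (not code from the Malware Wiki page, Palo Alto Networks or Transmission) that checks a Library folder for the artifacts named on this page, reads the dormancy clock, tests whether the recorded PID is still alive, and scans resolver log lines for the six C2 hostnames. It assumes, because the page does not say, that .kernel_time holds a Unix epoch timestamp and .kernel_pid a decimal PID, both as ASCII digits; the DNS log lines are constructed.

```python
"""Check a macOS Library folder for KeRanger's dormancy-stage artifacts and
scan DNS log lines for its C2 hostnames.

Added example for this page; not code from the Malware Wiki, Palo Alto
Networks, or Transmission. Assumptions not stated on the page: .kernel_time
holds a Unix epoch timestamp as ASCII digits and .kernel_pid holds a decimal
PID as ASCII digits. The sample log lines below are constructed.
"""
import os
import re
import tempfile
import time
from pathlib import Path

DORMANCY_SECONDS = 3 * 24 * 60 * 60  # the page: KeRanger sleeps for three days

# Files the page says KeRanger writes under ~/Library
ARTIFACTS = ("kernel_service", ".kernel_pid", ".kernel_time", ".kernel_complete")

# The six Command & Control hostnames listed on the page
C2_HOSTS = (
    "lclebb6kvohlkcml.onion.link", "lclebb6kvohlkcml.onion.nu",
    "bmacyzmea723xyaz.onion.link", "bmacyzmea723xyaz.onion.nu",
    "nejdtkok7oz5kjoc.onion.link", "nejdtkok7oz5kjoc.onion.nu",
)
C2_PATTERN = re.compile("|".join(re.escape(h) for h in C2_HOSTS))


def pid_is_running(pid):
    """Signal 0 delivers nothing; it only reports whether the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def check_library(library, now=None):
    """Inspect a Library folder for KeRanger artifacts.

    Returns which artifacts exist, whether .kernel_complete (encryption
    already done) is present, whether the PID in .kernel_pid is alive, and
    how many seconds remain of the three-day sleep (None if unknown).
    """
    library = Path(library)
    now = time.time() if now is None else now
    found = {name: (library / name).exists() for name in ARTIFACTS}
    report = {
        "found": found,
        "infected": any(found.values()),
        "already_encrypted": found[".kernel_complete"],
        "process_alive": None,
        "seconds_until_wakeup": None,
    }
    if found[".kernel_time"]:
        try:
            started = int((library / ".kernel_time").read_text().strip())
            report["seconds_until_wakeup"] = max(0, started + DORMANCY_SECONDS - int(now))
        except ValueError:
            pass  # unexpected format: report None rather than guess
    if found[".kernel_pid"]:
        try:
            pid = int((library / ".kernel_pid").read_text().strip())
            report["process_alive"] = pid_is_running(pid)
        except ValueError:
            pass
    return report


def find_c2_lookups(log_lines):
    """Return (line_number, hostname) for each log line naming a known C2 host."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = C2_PATTERN.search(line)
        if match:
            hits.append((number, match.group(0)))
    return hits


# Constructed resolver log lines in a dnsmasq-like format; not a real capture
SAMPLE_DNS_LOG = [
    "Mar  7 10:02:11 dnsmasq[412]: query[A] www.example.com from 192.168.1.20",
    "Mar  7 10:02:13 dnsmasq[412]: query[A] lclebb6kvohlkcml.onion.link from 192.168.1.20",
    "Mar  7 10:02:14 dnsmasq[412]: query[A] cdn.example.net from 192.168.1.20",
    "Mar  7 10:02:15 dnsmasq[412]: query[A] nejdtkok7oz5kjoc.onion.nu from 192.168.1.20",
]


def demo():
    """Build a constructed infected Library in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        library = Path(tmp) / "Library"
        library.mkdir()
        (library / "kernel_service").write_bytes(b"")           # stand-in, not the real binary
        (library / ".kernel_pid").write_text(str(os.getpid()))  # our own PID, so it is alive
        started = 1_457_000_000                                 # constructed first-run time
        (library / ".kernel_time").write_text(str(started))
        report = check_library(library, now=started + 24 * 60 * 60)  # one day into the sleep
    report["c2_hits"] = find_c2_lookups(SAMPLE_DNS_LOG)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real machine with check_library(Path.home() / "Library"); a non-zero seconds_until_wakeup together with a live process is the case where removing the files before the clock expires prevents the encryption stage entirely.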
The file extensions targeted by KeRanger are:

.3dm, .3ds, .3g2, .3gp, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asp, .asx, .avi, .back, .backup, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .cdb, .cdf, .cdr, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .class, .cls, .cmt, .cnv, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv, .dac, .db, .db3, .dbf, .dbr, .dbs, .dc2, .dcr, .dcs, .dcx, .ddd, .ddoc, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .ebd, .edb, .eml, .eps, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fm, .fp7, .fpx, .fxg, .gdb, .gray, .grey, .grw, .gry, .hbk, .hpp, .ibd, .idx, .iif, .indd, .java, .jpe, .jpeg, .jpg, .kdbx, .kdc, .key, .laccdb, .lua, .m4v, .maf, .mam, .maq, .mar, .maw, .max, .mdb, .mdc, .mde, .mdf, .mdt, .mef, .mfw, .mmw, .mos, .mov, .mp3, .mp4, .mpg, .mpp, .mrw, .mso, .myd, .ndd, .nef, .nk2, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx1, .nx2, .nyf, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .one, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pages, .pas, .pat, .pbo, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pip, .pl, .plc, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .ptx, .pub, .puz, .py, .qba, .qbb, .qbm, .qbw, .qbx, .r3d, .raf, .rar, .rat, .raw, .rdb, .rm, .rtf, .rwz, .sas7bdat, .say, .sd0, .sda, .sdf, .snp, .sql, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tlg, .txt, .vob, .vsd, .vsx, .vtx, .wav, .wb2, .wbk, .wdb, .wll, .wmv, .wpd, .wps, .x11, .x3f, .xla, .xlam, .xlb, .xlc, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xpp, .xsn, .yuv, .zip, .tar, .tgz, .gzip, .tib, .sparsebundle

In each folder where a file is encrypted, KeRanger also creates a ransom note titled README_FOR_DECRYPT.txt. This ransom note contains information on what happened to the victim's files and instructions for making the payment. Inside the ransom note is the address of the Tor payment site that victims must connect to in order to pay the ransom and download the decryptor. The note explains that the files have been encrypted and that the only way to get them back is to pay a ransom of 1 bitcoin. To pay the ransom, the victim needs to go to the fiwf4kwysm4dpw5l.onion site, make the payment, and then download their decryptor. When a victim visits this site they are shown a login prompt where they must enter the bitcoin address listed in the ransom note. Once the victim logs in with their assigned bitcoin address, they are shown a page containing a list of the support requests they have created. At the top of every page on the payment site are also options to perform a free decryption of one file, the ransom amount the user must pay, the bitcoin address the user must send the payment to, and how much has been paid so far. The navigation header also links to a FAQ page with answers to frequently asked questions.

Finally, KeRanger creates a file called ~/Library/.kernel_complete containing the string "do not touch this". This file probably serves as a marker that the computer has already been encrypted, so that further executions of the ransomware do not encrypt the same data a second time.

Removal

Lawrence Abrams put together a tool that can be used to assist in removing the KeRanger infection from a Mac. When executed, this tool quarantines all the files associated with the KeRanger infection and also creates a list of all encrypted files on the Mac. It does not decrypt the encrypted files for the user.
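The script below is an added example of the same kind of inventory-and-quarantine pass; it is not Lawrence Abrams' KeRanger-Removal-Tool and not code from the Malware Wiki page. It decrypts nothing: it lists every file with the .encrypted suffix and every README_FOR_DECRYPT.txt under the roots the page names, moves the ~/Library artifacts (including the dot-prefixed ones that Finder hides) into a quarantine folder by explicit name, and writes the two list files the tool is described as producing. The home-folder layout built in demo() is constructed.

```python
"""Inventory KeRanger's post-encryption traces and quarantine its dropper files.

Added example for this page; not Lawrence Abrams' KeRanger-Removal-Tool and
not code from the Malware Wiki. Nothing is decrypted. The directory layout
built in demo() is constructed.
"""
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_NOTE = "README_FOR_DECRYPT.txt"
# Files the page says KeRanger writes under ~/Library
ARTIFACTS = ("kernel_service", ".kernel_pid", ".kernel_time", ".kernel_complete")


def inventory(roots):
    """Walk each root (the page names /Users and /Volumes) and return sorted
    lists of encrypted files and ransom notes. Missing roots are skipped."""
    encrypted, notes = [], []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for path in root.rglob("*"):
            if not path.is_file():
                continue
            if path.name == RANSOM_NOTE:
                notes.append(path)
            elif path.name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
    return sorted(encrypted), sorted(notes)


def quarantine(library, quarantine_dir):
    """Move the known artifacts out of a Library folder; return the names moved.
    Explicit names are used so the hidden dot-files are not missed."""
    library, quarantine_dir = Path(library), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for name in ARTIFACTS:
        src = library / name
        if src.exists():
            shutil.move(str(src), str(quarantine_dir / name))
            moved.append(name)
    return moved


def write_lists(desktop, encrypted, notes, moved):
    """Write the two report files the removal tool is described as producing."""
    desktop = Path(desktop)
    desktop.mkdir(parents=True, exist_ok=True)
    list_file = desktop / "encrypted_files_list.txt"
    log_file = desktop / "keranger-remover.txt"
    list_file.write_text("".join(f"{p}\n" for p in encrypted))
    log_file.write_text(
        f"quarantined: {', '.join(moved) or 'nothing'}\n"
        f"ransom notes: {len(notes)}\n"
        f"encrypted files: {len(encrypted)}\n")
    return list_file, log_file


def demo():
    """Constructed infected home folder; returns what the run found and moved."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        home = tmp / "Users" / "alice"
        docs = home / "Documents"
        docs.mkdir(parents=True)
        (docs / "report.docx.encrypted").write_bytes(b"\x00" * 16)
        (docs / "photo.jpg.encrypted").write_bytes(b"\x00" * 16)
        (docs / RANSOM_NOTE).write_text("constructed ransom note\n")
        (docs / "todo.txt").write_text("not encrypted\n")  # no suffix: must not be listed
        library = home / "Library"
        library.mkdir()
        for name in ARTIFACTS:
            (library / name).write_text("constructed\n")
        encrypted, notes = inventory([tmp / "Users", tmp / "Volumes"])  # Volumes absent
        moved = quarantine(library, home / "Desktop" / "keranger-quarantine")
        list_file, log_file = write_lists(home / "Desktop", encrypted, notes, moved)
        return {
            "encrypted": [p.name for p in encrypted],
            "notes": len(notes),
            "moved": sorted(moved),
            "left_in_library": [n for n in ARTIFACTS if (library / n).exists()],
            "list_lines": list_file.read_text().count("\n"),
            "log_first_line": log_file.read_text().splitlines()[0],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine the calls would be inventory(["/Users", "/Volumes"]) and quarantine(Path.home() / "Library", Path.home() / "Desktop" / "keranger-quarantine"); moving rather than deleting keeps the artifacts available for analysis, and the .encrypted list is what a later recovery effort needs.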
Once the user has downloaded the tool, simply double-click on the KeRanger-Removal-Tool.zip file to extract the application. Once the application is extracted, double-click on it to start the program. When the program has started, click on the I Agree button and it will begin to search for signs of the malicious version of Transmission, unmount it if detected, quarantine the KeRanger files, and then create a list of the encrypted files on your Mac. When it is done, there will be two new files on your desktop called keranger-remover.txt and encrypted_files_list.txt. The keranger-remover.txt file is a log file that describes what was detected on the user's computer, and the encrypted_files_list.txt file contains a list of all the encrypted files on the user's computer. Finally, there will be a folder on your desktop called keranger-quarantine, which contains all of the files removed by the tool. Please note that some of the KeRanger files start with a period (.) and will be hidden in Finder. The only way to view these quarantined files is in Terminal.

Categories: Virus, MacOS, Ransomware, MacOS ransomware, MacOS trojan, Backdoor, MacOS backdoor, MacOS virus, Trojan